June 23, 2026 6 min read

The Loop Doesn't Loop Back


"I don't prompt Claude anymore. I have loops running that prompt Claude and figuring out what to do. My job is to write loops." That's Boris Cherny, and it names the unit of work that has quietly replaced the prompt. The loop — a harness that hands a task to a machine, judges the result, and decides whether to keep going — is now the thing people build, the thing attackers run, and the thing maintainers can't keep up with. The same primitive points in three directions this week, and the trouble in all three rhymes: production, attack, and pressure scale with the loop, while comprehension, defense, and maintenance still rest on single humans who don't scale at all.


The Harness Loop

Armin Ronacher draws the line between two loops. There's the agent loop everyone knows — call a tool, read a file, run the tests, say "done." And there's the harness loop that sits outside it, refusing the "done," injecting another message, spawning a fresh session, keeping the task alive past the point the model would have stopped. Cherny's job is writing that outer one.

Ronacher is candid that the outer loop works astonishingly well in a specific shape: porting (parts of Bun from Zig to Rust; he moved MiniJinja to Go himself), performance exploration, security scanning, research — anything that transforms code that already exists or produces artifacts with no shelf life. A binary test or an LLM judge supplies the signal, and the loop searches. What it's bad at is the code he cares about. Present-day models, he writes, are "mortally terrified of exceptions" — Karpathy's phrase — observing a local failure and adding a local defense rather than making the bad state unrepresentable. Put that behind a loop and you amplify it: "If each iteration adds another small defense, the system slowly becomes less understandable while appearing more robust."
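As an added example, not code from Ronacher's post or from any project it names, here is a minimal harness loop in Python: the outer loop refuses the inner loop's "done" until a binary test passes, and it also stops when successive candidates keep adding try/except without passing anything, the drift described above. The judge, the hypothetical parse_port() task and the scripted candidate sequences are all constructed for this illustration.

```python
import ast

def count_handlers(source: str) -> int:
    # try/except blocks in a candidate; a count that rises with no test
    # progress is the "add a local defense" drift described above
    return sum(isinstance(n, ast.Try) for n in ast.walk(ast.parse(source)))

def judge(source: str) -> bool:
    # Binary test signal for a hypothetical parse_port(). Executes the
    # candidate in-process for brevity; a real harness would sandbox it.
    ns = {}
    try:
        exec(source, ns)
        f = ns["parse_port"]
        if f("80") != 80:
            return False
        for bad in ("abc", "70000"):  # must raise, not return a sentinel
            try:
                f(bad)
                return False
            except ValueError:
                pass
        return True
    except Exception:
        return False

def harness_loop(agent, judge, seed="", max_iters=6, max_drift=2):
    # Outer loop: refuse the inner loop's "done" until the judge accepts, the
    # budget runs out, or handlers keep growing without a passing test.
    attempts, source, drift = [], seed, 0   # attempts: (passed, handlers)
    for _ in range(max_iters):
        source = agent(source)              # inner loop yields next candidate
        attempts.append((judge(source), count_handlers(source)))
        if attempts[-1][0]:
            return "accepted", attempts
        if len(attempts) > 1 and attempts[-1][1] > attempts[-2][1]:
            drift += 1
            if drift >= max_drift:
                return "halted: defensive drift", attempts
    return "budget exhausted", attempts

def scripted_agent(candidates):
    # Constructed stand-in for a model: replays a fixed list of candidates.
    it = iter(candidates)
    return lambda _prev: next(it)

# Constructed candidate sequences: DRIFT wraps each failure in more
# try/except; FIXED makes the bad state unrepresentable instead.
DRIFT = [
    "def parse_port(s):\n    return int(s)\n",
    "def parse_port(s):\n    try:\n        return int(s)\n    except ValueError:\n        return None\n",
    "def parse_port(s):\n    try:\n        try:\n            return int(s)\n        except ValueError:\n"
    "            return None\n    except Exception:\n        return None\n",
]
FIXED = ["def parse_port(s):\n    p = int(s)\n    if not 0 < p < 65536:\n        raise ValueError(s)\n    return p\n"]
```

Running harness_loop(scripted_agent(DRIFT), judge) halts after three candidates with handler counts 0, 1, 2 and no pass, while the FIXED sequence is accepted on its first candidate.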

The deeper discomfort isn't quality. It's authorship of the "done" signal. In the agent loop the model says done and a human reviews; in the harness loop the harness decides, judged by yet another machine, and the human's role dissolves into something Ronacher can't name. He reaches for a metaphor: software moving from machine to organism. You monitor it, stabilize it, treat its symptoms — but you no longer comprehend it. Some software, he allows, doesn't deserve human authorship. The unease is that the choice of which software may stop being yours.

You Cannot Opt Out

Because the loop is not optional. Ronacher's plainest case is security: even if you never point a loop at your own code, others will point loops at it — attackers and researchers continuously, the noise and the occasional real finding arriving at a volume no one can field by hand. He points to Daniel Stenberg's curl, where maintainers are buried under AI-generated vulnerability reports, most of them junk. If the reporters loop, the defenders eventually have to loop just to triage.

Last week this newsletter took apart a single instance of the attack side — a fake recruiter, a stolen commit history, an npm prepare script that ran a backdoor on install.[1] Manish Goregaokar's account of the con run in a for loop supplies the distribution that one-off was drawn from. Adversary capability used to be bimodal: cheap and untargeted at one end (the implausible prince email, engineered so the savvy self-select out), expensive and targeted at the other (the $25M deepfake-CFO call). Tech-savvy people were safe in the gap — not unscammable, but a personalized attack didn't parallelize. James Mickens' line held: you're dealing with Mossad or not-Mossad, and not-Mossad couldn't afford you.

LLMs fill the middle. Spearphishing ran about 4¢ an email in 2024; a full interview-scam con costs more but still pennies against the payoff, and it runs a thousand times at once. Scaling buys patience (a loop goes dormant for months, waiting for the vacation it found on your calendar), composition (a small scam to recruit a money mule for a large one), and new targets (a thousand compromised accounts is a thousand authenticated positions, and "the optimal amount of fraud is nonzero" becomes a gaping hole when a thousand accounts hit it at once). The heuristics that protected the savvy — fluent writing means a real person, a strong web presence is too costly to fake, a relative's voice can't be cloned — were all proxies for cost or capability. Both foundations crumble at once.

The Substrate Can't Loop Back

Point the loop at infrastructure and you find what's holding it up. Andrew Nesbitt's reckoning with open source as an economic object is the sound of every market axiom breaking: non-excludable goods at a price of zero, a median producer headcount of one, SQLite priced identically to a week-old typosquat with a miner in its install hook, ten million downloads a week and still a single maintainer because demand has no channel to act on supply. npm install delivers a few hundred of these impossible goods in seconds, and the commercial software industry sits on top of them.

That's the substrate the loop runs on — and against. curl is the hinge between Ronacher and Nesbitt: a dependency the whole world ships, kept alive by people drowning in machine-generated reports. The asymmetry is the story. Attackers loop, reporters loop, competitive pressure loops — and the maintainer is one tired person who cannot loop back at the same rate. Every proposed fix — bug bounties, sponsorship marketplaces, criticality scores — tries to manufacture the price open source never had, and each needs a number to stand in for value. The number anyone actually wants, Nesbitt notes, is who is keeping this running, how close they are to stopping, and whether a report would reach a human at all.

Stack Ronacher's top against Nesbitt's bottom and the shape comes clear. We are assembling a stack that, at the top, increasingly "assumes machine participation as part of its maintenance model" — written by loops, reviewed by loops, patched by loops — and that, at the bottom, rests on single humans with no price signal and no liability. The reception bottleneck prior editions located inside the firm extends all the way to the floor of the dependency graph, where one unpaid person absorbs the output of everyone's loops at once.


A Year Ago

A year ago this week, the same Armin Ronacher published an open-source library written almost entirely by Claude — sloppy-xml-py. Simon Willison's verdict was that the code was genuinely good, and his explanation came down to one word: control. "The code is good because Armin is an expert programmer who stayed in full control throughout the process." Twelve months later the same author writes about the machinery built to remove exactly that, confessing that in the looped version "I'm not sure what my role even is." The lesson didn't reverse; the conditions under it did. And the failure mode he now describes — a long session drifting toward more defense and less understanding — is the agentic cousin of what Drew Breunig diagnosed a year ago, where contexts past 100k tokens push an agent toward "repeating actions from its vast history rather than synthesizing novel plans."


What to Watch

The quietest argument of the week is Jake Worth's: leave a trace. Comment on the post that helped you, reply to the forum answer that unstuck you — small human deposits that build "a learning exhaust that shows you exist and are doing real things with software." The moment gives it an edge: the trace as proof of presence — I was here, I did this, this is mine — is exactly the signal the loop now forges for pennies. The human act of leaving a genuine mark and the machine act of fabricating one have converged on the same surface.

Provenance as the next scarce primitive. When presence is cheap to forge, the premium moves to traces that can't be — verified human authorship, signed provenance, proof that a person actually stood where the mark claims. Not "a human did this better" but "a human did this, and here is how you know." The landmark is the first package registry or platform that treats verifiable human provenance — of a commit, a report, a maintainer — as a default rather than a badge.

Loop versus loop, with the human as judge of last resort. Ronacher's bet is that defenders adopt loops not to build but to triage. The marker will be a curl-scale project that formally puts a machine between incoming reports and human attention — the maintainer judging a loop's triage of a loop's output. The moment that becomes written policy is the moment the single human is officially demoted from defender to referee.


Way Enough is written collaboratively by a human and an AI agent.

Footnotes

  1. https://roman.pt/posts/linkedin-backdoor/